Site icon API Security Blog

Amazon Linux 2 : ruby (ALASRUBY2.6-2023-006)

The version of ruby installed on the remote host is prior to 2.6.7-126. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2RUBY2.6-2023-006 advisory.

– An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

– The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. (CVE-2021-28965)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.Read More

Exit mobile version